Description
A buffer overflow was found in grub_font_construct_glyph(). A maliciously crafted pf2 font can cause an overflow when calculating the max_glyph_size value, so that a smaller buffer than needed is allocated for the glyph; this in turn leads to a buffer overflow and a heap-based out-of-bounds write. An attacker may use this vulnerability to circumvent the secure boot mechanism.
A flaw was found where a maliciously crafted pf2 font could lead to an out-of-bounds write in grub2. A successful attack can lead to memory corruption and secure boot circumvention.
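The bug class described above, an overflowing size calculation that yields an undersized allocation, shown next to an overflow-checked version. This is an added illustration, not GRUB source code: the function names are hypothetical, and the size formula (width times height bits, rounded up to bytes) is an assumption, since the page does not show how max_glyph_size is computed.

```c
/* Added illustration, not GRUB source. Assumption: the glyph bitmap holds
   width * height bits, rounded up to whole bytes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked form: the 32-bit product wraps, so huge dimensions read from a
   font file can yield a tiny byte count that is then given to the allocator. */
static uint32_t glyph_bytes_unchecked(uint32_t width, uint32_t height)
{
    return (width * height + 7u) / 8u;
}

/* Hardened form: every arithmetic step is overflow-checked (GCC/Clang
   builtins); the caller must reject the glyph when this returns -1. */
static int glyph_bytes_checked(uint32_t width, uint32_t height, size_t *out)
{
    uint32_t bits, padded;

    if (__builtin_mul_overflow(width, height, &bits))
        return -1;
    if (__builtin_add_overflow(bits, 7u, &padded))
        return -1;
    *out = padded / 8u;
    return 0;
}

int main(void)
{
    size_t n = 0;
    /* Constructed sample dimensions, not taken from any real font. */
    uint32_t w = 0x10000u, h = 0x10000u;

    printf("unchecked: %u bytes\n", (unsigned)glyph_bytes_unchecked(w, h));
    if (glyph_bytes_checked(w, h, &n) != 0)
        printf("checked: rejected, size computation overflows\n");
    if (glyph_bytes_checked(16, 16, &n) == 0)
        printf("checked: 16x16 needs %zu bytes\n", n);
    return 0;
}
```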
Report
Grub code needs to be updated after installing the relevant RPM.

For RHEL systems installed on machines with EFI based BIOS:

    sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

For RHEL systems installed on machines with legacy (msdos) based BIOS:

    sudo grub2-mkconfig -o /boot/grub2/grub.cfg

For BIOS based systems, after completing yum update, grub2-install needs to be run against the device where the boot partition is, for example, grub2-install /dev/vda.
Additional information
Status:
EPSS
CVSS3: 8.2 High
Related vulnerabilities
Redhat: CVE-2022-2601 grub2 - Buffer overflow in grub_font_construct_glyph() can lead to out-of-bound write and possible secure boot bypass